SWE3002 - Information and System Security Module 1 Topic 2 & 3 PDF

Summary

These notes cover information and system security, focusing specifically on Module 1, topics 2 and 3. The document details various security concepts, including security attacks, security mechanisms, and security services. It provides examples and explanations related to these concepts.

Full Transcript

SWE3002 – Information and System Security Module 1 – Topic 2 & 3 OSI security architecture 🠶 The OSI security architecture focuses on security attacks, mechanisms, and services. 🠶 Security attack: Any action that compromises the security of information owned by an organization. 🠶 Sec...

SWE3002 – Information and System Security Module 1 – Topic 2 & 3 OSI security architecture 🠶 The OSI security architecture focuses on security attacks, mechanisms, and services. 🠶 Security attack: Any action that compromises the security of information owned by an organization. 🠶 Security mechanism: A process that is designed to detect, prevent, or recover from a security attack. 🠶 Security service: A processing or communication service that enhances the security of the data processing systems and the information transfers of an organization. OSI security architecture Security attacks Security Mechanism Security Service Security attacks Security attacks - Passive 🠶 Two kind of attacks 🠶 A passive attack attempts to learn or make use of information from the system but does not affect system resources. 🠶 Active attack attempts to alter system resources / affect operation. 🠶 The goal is to obtain information that is being transmitted. 🠶 Two types of passive attacks are the release of message contents and traffic analysis. 🠶 The release of message contents is easily understood. 🠶 A telephone conversation, an email message, a transferred file may contain sensitive or confidential information. 🠶 We would like to prevent an opponent from learning the contents of these transmissions. Security attacks - Passive 🠶 A second type of passive attack, traffic analysis, 🠶 Suppose that we had a way of masking the contents of messages or other information traffic so that opponents, even if they captured the message, could not extract the information from the message. 🠶 Common technique for masking contents is encryption. 🠶 Passive attacks are very difficult to detect, because they do not involve any alteration of the data. Security attacks – Passive example Security attacks – Passive Security attacks - Active 🠶 Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service masquerade 🠶 In a masquerade attack, the intruder pretends to be a particular user of a system to gain access or to gain greater privileges than they are authorized for. Masquerade attacks are conducted in several different ways, including the following: 🠶 using stolen login identifications (IDs) and passwords; 🠶 finding security gaps in programs; and 🠶 bypassing the authentication Replay 🠶 Replay Attack is a type of security attack to the data sent over a network. In this attack, the hacker or any person with unauthorized access, captures the traffic and sends communication to its original destination, acting as the original sender. 🠶 The receiver feels that it is an authenticated message but it is actually the message sent by the attacker. The main feature of the Replay Attack is that the client would receive the message twice, hence the name, Replay Attack. Message modification 🠶 Modification of messages simply means some portion of a message is altered, or messages are delayed or reordered, to produce an unauthorized effect 🠶 For example, a message meaning “Allow Ram to read confidential file accounts” is modified to mean “Allow Ravi to read confidential file accounts.” Denial of service 🠶 The denial of service prevents or inhibits the normal use or management of communications facilities (path 3 active). 🠶 This attack may have a specific target; for example, an entity may suppress all messages directed to a particular destination (e.g., the security audit service). Denial of Service Security Services 🠶 Authentication 🠶 Access Control 🠶 Confidentiality 🠶 Integrity 🠶 Non repudiation Authentication 🠶 Authentication is the mechanism to identify the user or system or the entity. It ensures the identity of the person trying to access the information. The authentication is mostly secured by using username and password. The authorized person whose identity is preregistered can prove his/her identity and can access the sensitive information. Access Control 🠶 The principle of access control is determined by role management and rule management. Role management determines who should access the data while rule management determines up to what extent one can access the data. The information displayed is dependent on the person who is accessing it. Confidentiality 🠶 The degree of confidentiality determines the secrecy of the information. The principle specifies that only the sender and receiver will be able to access the information shared between them. Confidentiality compromises if an unauthorized person is able to access a message. 🠶 For example, let us consider sender A wants to share some confidential information with receiver B and the information gets intercepted by the attacker C. Now the confidential information is in the hands of an intruder C. Integrity 🠶 Integrity gives the assurance that the information received is exact and accurate. If the content of the message is changed after the sender sends it but before reaching the intended receiver, then it is said that the integrity of the message is lost. Nonrepudiation 🠶 Nonrepudiation provides proof of the origin, authenticity and integrity of data. It provides assurance to the sender that its message was delivered, as well as proof of the sender's identity to the recipient. This way, neither party can deny that a message was sent, received and processed. 🠶 Nonrepudiation prevents either sender or receiver from denying a transmitted message. Security mechanism Security Mechanism Pervasive Specific security security Specific security mechanism Specific Security mechanism Authentica Encipher Access Data Traffic Routing Digital Notarization tion ment control Integrity padding Control Signature exchange Encipherment 🠶 This security mechanism deals with hiding and covering of data which helps data to become confidential. It is achieved by applying mathematical calculations or algorithms which reconstruct information into not readable form Access Control 🠶 A variety of mechanism that enforce access rights to resources Notarization 🠶 This security mechanism involves use of trusted third party in communication. It acts as mediator between sender and receiver so that if any chance of conflict is reduced. This mediator keeps record of requests made by sender to receiver for later denied. Data Integrity 🠶 A variety of mechanisms used to assure the integrity of a data unit or stream of data units Authentication exchange 🠶 This security mechanism deals with identity to be known in communication. This is achieved at the TCP/IP layer where two-way handshaking mechanism is used to ensure data is sent or not Bit stuffing /Traffic padding 🠶 This security mechanism is used to add some extra bits into data which is being transmitted. It helps data to be checked at the receiving end and is achieved by Even parity or Odd Parity. Digital Signature 🠶 It is form of electronic signature which is added by sender which is checked by receiver electronically. This mechanism is used to preserve data which is not more confidential but sender’s identity is to be notified. Routing control 🠶 Enables selection of particular physically secure routes for certain data and allow routing changes especially when breach security is suspected. Pervasive security mechanism Pervasive security mechanism Trusted Security Even Security Security Functionality label Detection Audit Trail recovery Trusted Functionality 🠶 The process that which is recognized to be correct regarding some criteria such as established by a security policy. Security label 🠶 A general term used to describe a label that has been designed to help improve the security of the object to which it is applied. Event detection 🠶 Detection security relevant events Security audit trial 🠶 Data collected and potentially used to facilitate a security audit which is an independent review and examination of system records Security recovery 🠶 Mechanism related to recovery actions

Use Quizgecko on...
Browser
Browser